
I have a simple button to post comment like this

<button onclick="postComment('384',this);">Post</button>

in function postComment(post_id,element) :

384 is the post_id of the post being commented on.

I know a user can easily change the '384' to something else, e.g. '1000', with Firebug or other developer tools. That makes them comment on the post that has id 1000.

How do I prevent this?

5
  • 2
    If 384 is the only one that the user can comment on, then the server should know that and if it gets any other ID, it knows the response is not valid. Web clients are utterly untrustworthy, so treat them that way. ;-) Commented Jan 2, 2015 at 12:10
  • 1
    Do not handle ids on creating client-side. Instead, send a request to your backend telling it to post a new comment. The backend should figure out the id, potentially responding with it. It seems like you need to do more research on architecture. Commented Jan 2, 2015 at 12:20
  • @RobG: yes, suppose 384 is the only one that the user can comment on.. should we check them every time? Commented Jan 2, 2015 at 12:37
  • @Niels Abildgaard: have you better approach for this? for example there are some post div like this <div id=1>POST 1</div> <div id=2>POST 2</div> ..................... <div id=10>POST 10</div> Then every post has comment input and submit button, what is your method to know that the user comment on certain div without posting the parameter? Commented Jan 2, 2015 at 12:40
  • Ah! Now I understand. But what would be the problem if the user deliberately changed the number in the code and his comment ended up somewhere random? You have to guarantee that he has the rights before posting it, but other than that I don't see the problem. This is similar to visiting a random url on a website: generally not a problem. Commented Jan 2, 2015 at 14:31

2 Answers

2

Don't call the function with a parameter. Instead try to let the function itself search for the latest already posted comment id (in a db or elsewhere) and increment that value.


5 Comments

How can the function itself search for the latest already posted comment id? Please help.
That really depends on your configuration. Where do you store comments, and in which format?
I'm not that familiar with databases, but I assume each entry has an ID, right? If that holds, you can simply look up the ID corresponding to the entry of a single comment.
Yes, each entry has an ID. But how can I simply look up the ID corresponding to the entry of a single comment? Please show me with PHP code.
One cannot simply look up the ID from the value of a single comment, since multiple comments can have the same text. More variables are needed to ensure each db entry is unique if you want to look up its ID: variables like the name of the author, the date/time, etc. What do you need this for?
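The comments on the question say the fix is not on the client at all: the server must treat the posted ID as untrusted, check that this user may comment on that post, and assign the comment's own ID itself. The following is an added illustration, not the asker's code or either answerer's, and it is written in Python with the standard-library sqlite3 module rather than the PHP the asker mentions; the table and column names (posts, post_access, comments, comments_open) and the sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for the asker's database;
# table and column names are assumptions, not taken from the question.
SCHEMA = """
CREATE TABLE posts (
    id INTEGER PRIMARY KEY,
    comments_open INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE post_access (
    post_id INTEGER NOT NULL REFERENCES posts(id),
    user_id INTEGER NOT NULL
);
CREATE TABLE comments (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    post_id INTEGER NOT NULL REFERENCES posts(id),
    user_id INTEGER NOT NULL,
    body TEXT NOT NULL
);
"""

# A post id sent by the browser is accepted only as 1..10 decimal digits
# with no leading zero; anything else is not even parsed.
POST_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def open_db():
    """Create the sample database. Constructed data: user 7 may see posts 384
    and 500 (500 is closed for comments); user 9 may see post 1000; post 2000
    does not exist."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("PRAGMA foreign_keys = ON")
    db.executemany("INSERT INTO posts (id, comments_open) VALUES (?, ?)",
                   [(384, 1), (1000, 1), (500, 0)])
    db.executemany("INSERT INTO post_access (post_id, user_id) VALUES (?, ?)",
                   [(384, 7), (500, 7), (1000, 9)])
    db.commit()
    return db


class CommentRejected(Exception):
    """Raised when a request must not become a database row."""


def post_comment(db, session_user_id, raw_post_id, body):
    """Server-side handler behind the 'Post' button.

    session_user_id comes from the server's own session, never from the
    request body. raw_post_id is the untrusted string the browser sent (the
    '384' in the onclick), so it is validated and authorised here instead of
    being trusted.
    """
    # 1. Syntactic validation: must look like a positive integer.
    if not isinstance(raw_post_id, str) or not POST_ID_RE.fullmatch(raw_post_id):
        raise CommentRejected("post id must be a positive integer")
    post_id = int(raw_post_id)
    if not body or len(body) > 2000:
        raise CommentRejected("comment body missing or too long")

    # 2. Authorisation: the post must exist, the logged-in user must be allowed
    #    to see it, and it must be open for comments. Parameterised query, so
    #    the value is bound as data and never spliced into SQL text.
    row = db.execute(
        "SELECT p.comments_open FROM posts p "
        "JOIN post_access a ON a.post_id = p.id "
        "WHERE p.id = ? AND a.user_id = ?",
        (post_id, session_user_id),
    ).fetchone()
    if row is None:
        # Same answer whether the post is missing or simply not this user's,
        # so a tampered ID does not reveal which posts exist.
        raise CommentRejected("post not found")
    if row[0] != 1:
        raise CommentRejected("comments are closed on this post")

    # 3. The server, not the client, assigns the new comment's id and
    #    returns it to the caller.
    cur = db.execute(
        "INSERT INTO comments (post_id, user_id, body) VALUES (?, ?, ?)",
        (post_id, session_user_id, body),
    )
    db.commit()
    return cur.lastrowid


def try_post(db, user_id, raw_post_id, body="hello"):
    """Return ('ok', comment_id) or ('rejected', reason) for demonstration."""
    try:
        return ("ok", post_comment(db, user_id, raw_post_id, body))
    except CommentRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    db = open_db()
    print(try_post(db, 7, "384"))         # the button's real value: accepted
    print(try_post(db, 7, "1000"))        # value edited in the dev tools: rejected
    print(try_post(db, 7, "2000"))        # nonexistent post: same rejection
    print(try_post(db, 7, "384 OR 1=1"))  # not an integer: rejected before any query
    print(try_post(db, 7, "500"))         # visible but closed: rejected
```

Note that the handler never needs to know which ID the button "should" have carried: it only decides, for the user the session proves is logged in, whether the requested post is one they may comment on. Editing the number in the onclick therefore achieves nothing that the same user could not do by clicking another post's button legitimately, which is the point the last comment above makes.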
0

On your function:

postComment(post_id,element)

it means you have

INSERT INTO post (id, ..., ...) VALUES ($post_id, ..., ...);


Recode and fix it (depending on your logic) to

postComment(element)

Check whether the inserted ID comes from JavaScript.

Comments
